Re: Activity on Signature 31359

Yes, we're seeing the same. Started with Signature version 528.0 for us at the noon auto update today. It was frequently blocking http responses from our web server to web clients. We had to disable the signature till we figure out what is going on. The full name of the signature is: Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability

Re: Activity on Signature 31359

"Microsoft has indicated that targeted attacks have been observed in the wild. Current exploits may be prevented on Windows systems that implement Data Execution Prevention (DEP). Windows Vista and 7, along with Windows Server 2003 and 2008, incorporate DEP, reducing risk on these systems."

The extra special bonus? No patch is available at the moment ... fun.

"Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not available."

This signature was just added in S528, which rolled out within the last 24 hours. That might explain why you haven't seen it until now.

Re: Activity on Signature 31359

Blayne,

There's nothing in the trigger packet tab. Here's a copy of the "show all details" on the event for www.ap.org (Associated Press). Also had one this morning for www.netflix.com. It's also copied below.

Re: Activity on Signature 31359

Hello,

We need to check on the captures what is triggering the signature; as of yet we need to see them with Wireshark to analyze the payload. If possible, can anyone provide a packet capture of this nature, and also, would you please give some examples of websites that are triggering the signature?

Re: Activity on Signature 31359

Ron, and anyone else who reported the issue,

In order for us to further determine what exactly is causing this signature to fire for your traffic, can you please provide me with a packet capture (pcap file) of the traffic on which the signature is firing?
